Department of Homeland Security
Office of Inspector General

Evaluation of DHS' Information Security Program for Fiscal Year 2011

OIG-11-113                                       September 2011


Office of Inspector General
U.S. Department of Homeland Security
Washington, DC 20528

September 27, 2011

Preface

The Department of Homeland Security (DHS) Office of Inspector General (OIG) was established by the Homeland Security Act of 2002 (Public Law 107-296) by amendment to the Inspector General Act of 1978. This is one of a series of audit, inspection, and special reports prepared as part of our oversight responsibilities to promote economy, efficiency, and effectiveness within the Department.

This report addresses the strengths and weaknesses of controls over the information security program and practices at DHS. It is based on interviews with selected program officials at the Department and components, direct observations, a review of applicable documents, and system testing.

The recommendations herein have been developed to the best knowledge available to our office, and have been discussed in draft with those responsible for implementation. We trust this report will result in more effective, efficient, and economical operations. We express our appreciation to all of those who contributed to the preparation of this report.

Frank W. Deffer
Assistant Inspector General
Information Technology Audits


Table of Contents/Abbreviations

Executive Summary ..................................................... 1
Background ............................................................ 2
Results of Independent Evaluation ..................................... 3
Recommendations ...................................................... 22
Management Comments and OIG Analysis ................................. 22

Appendices
     Appendix A:  Purpose, Scope, and Methodology ..................... 25
     Appendix B:  Management Response to Draft Report ................. 27
     Appendix C:  System Inventory .................................... 29
     Appendix D:  Status of Risk Management Program ................... 32
     Appendix E:  Status of Configuration Management Program .......... 34
     Appendix F:  Status of Incident Response and Reporting Program ... 36
     Appendix G:  Status of Security Training Program ................. 38
     Appendix H:  Status of Plans of Actions and Milestones Program ... 40
     Appendix I:  Status of Remote Access Program ..................... 42
     Appendix J:  Status of Account and Identity Management Program ... 44
     Appendix K:  Status of Continuous Monitoring Program ............. 46
     Appendix L:  Status of Contingency Planning Program .............. 47
     Appendix M:  Status of Agency Program to Oversee Contractor Systems 49
     Appendix N:  Status of Security Capital Planning Program ......... 51
     Appendix O:  Major Contributors to this Report ................... 53
     Appendix P:  Report Distribution ................................. 54

Abbreviations
     ATO        authority to operate
     CBP        Customs and Border Protection
     CIO        Chief Information Officer
     CIS        Citizenship and Immigration Services
     CISO       Chief Information Security Officer
     CPIC       Capital Planning and Investment Control
     DHS        Department of Homeland Security
     FDCC       Federal Desktop Core Configuration
     FEMA       Federal Emergency Management Agency
     FIPS       Federal Information Processing Standards
     FISMA      Federal Information Security Management Act
     FLETC      Federal Law Enforcement Training Center
     FY         fiscal year
     HSPD-12    Homeland Security Presidential Directive 12
     ICE        Immigration and Customs Enforcement
     I&A        Office of Intelligence and Analysis
     ISO        Information Security Office
     IT         information technology
     MGMT       Management Directorate
     NIST       National Institute of Standards and Technology
     NPPD       National Protection and Programs Directorate
     OIG        Office of Inspector General
     OMB        Office of Management and Budget
     PIV        Personal Identity Verification
     POA&M      Plan of Actions and Milestones
     S&T        Science and Technology
     SP         Special Publication
     TSA        Transportation Security Administration
     USCG       United States Coast Guard
     USGCB      United States Government Configuration Baseline
     USSS       United States Secret Service


OIG
Department of Homeland Security
Office of Inspector General

Executive Summary

We conducted an independent evaluation of the Department of Homeland Security (DHS) information security program and practices to comply with the requirements of the Federal Information Security Management Act. In evaluating DHS' progress in implementing its agency-wide information security program, we specifically assessed the Department's plans of action and milestones, security authorization processes, and continuous monitoring programs. Fieldwork was performed at both the program and component levels.

DHS continues to improve and strengthen its security program. During the past year, DHS developed and implemented the fiscal year 2011 information security performance plan to focus on areas that the Department would like to improve upon throughout the year. Specifically, DHS identified in the performance plan several key elements that are indicative of a strong security program, such as plans of action and milestones weakness remediation.

While these efforts have resulted in some improvements, components are still not executing all of the Department's policies, procedures, and practices. In addition, our review identified the following more significant exceptions to a strong and effective information security program: (1) systems are being authorized though key information is missing or outdated; (2) plans of action and milestones are not being created for all known information security weaknesses or mitigated in a timely manner; and (3) baseline security configurations are not being implemented for all systems. Additional information security program areas that need improvement include configuration management, incident detection and analysis, specialized training, account and identity management, continuous monitoring, and contingency planning.

We are making five recommendations to the Department. The Chief Information Security Officer concurred with all of our recommendations and has already begun to take actions to implement them. The Department's response is summarized and evaluated in the body of this report and included, in its entirety, as appendix B.

Evaluation of DHS' Information Security Program for Fiscal Year 2011                    Page 1


Background

Due to the increasing threat to information systems and the highly networked nature of the federal computing environment, the Congress, in conjunction with the Office of Management and Budget (OMB), requires an annual review and reporting of agencies' compliance with Federal Information Security Management Act (FISMA) requirements. FISMA focuses on the program management, implementation, and evaluation of the security of unclassified and national security systems.

Recognizing the importance of information security to the economic and national security interests of the United States, the Congress enacted Title III of the E-Government Act of 2002 (Public Law 107-347, Sections 301-305) to improve security within the federal government. Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction. Title III of the E-Government Act, entitled FISMA, provides a comprehensive framework to ensure the effectiveness of security controls over information resources that support federal operations and assets.

FISMA requires each federal agency to develop, document, and implement an agency-wide security program. The agency's security program should protect the information and the information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source. As specified in FISMA, agency heads are charged with conducting an annual evaluation of information programs and systems under their purview, as well as an assessment of related security policies and procedures. Offices of Inspector General (OIG) must independently evaluate the effectiveness of an agency's information security program and practices on an annual basis.

OMB issues updated instructions annually for agency and OIG reporting under FISMA. Our annual FISMA evaluation summarizes the results of our review of DHS' information security program and practices based on the draft reporting guidance issued in June 2011.

The Chief Information Security Officer (CISO) leads the Information Security Office (ISO) and is responsible for managing DHS' information security program. To aid in managing its security program, the CISO developed the Fiscal Year 2011 DHS Information Security Performance Plan to enhance DHS' information security program and continue to make additional improvements on existing processes, such as continuous monitoring, system security authorizations, and plan of actions and milestones (POA&M) remediation. DHS uses enterprise management tools to collect and track data related to all unclassified and classified POA&M activities, including weaknesses identified during self-assessments and the security authorization process.1 DHS' enterprise management tools also collect data on other FISMA metrics, such as the number of systems that have implemented DHS' security baseline configurations and the number of employees who have received information technology (IT) security training.

1 According to National Institute of Standards and Technology (NIST) Special Publication (SP) 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach, Revision 1, security authorization is the official management decision given by a senior organizational official to authorize operation of an information system and to explicitly accept the risk to organizational operations and assets, individuals, other organizations, and the nation based on the implementation of an agreed-upon set of security controls.


Results of Independent Evaluation

Based on the requirements outlined in FISMA and the annual reporting instructions, our independent evaluation focused on 11 key areas of DHS' information security program. Specifically, we reviewed the Department's system inventory, risk management, configuration management, incident response and reporting, security training, POA&M, remote access, account and identity management, continuous monitoring, contingency planning, and Capital Planning and Investment Control (CPIC) programs across 13 components and offices.2 We separated the results of our evaluation into these key areas. For each area, we identified the progress that DHS has made since our fiscal year (FY) 2010 evaluation and any issues that need to be addressed to be more successful in the respective information security program area.

2 Customs and Border Protection (CBP), Citizenship and Immigration Services (CIS), Federal Emergency Management Agency (FEMA), Federal Law Enforcement Training Center (FLETC), Immigration and Customs Enforcement (ICE), Office of Intelligence and Analysis (I&A), Management Directorate (MGMT), National Protection and Programs Directorate (NPPD), OIG, Science and Technology (S&T), Transportation Security Administration (TSA), United States Coast Guard (USCG), and United States Secret Service (USSS).

This report also includes the results of a limited number of systems evaluated during the year and our on-going financial statement review.3 In addition, it includes the results of our security audits at NPPD and TSA.4

3 Information Technology Management Letter for the FY 2010 DHS Financial Statement Audit (OIG-11-103, August 2011).

4 Planning, Management, and Systems Issues Hinder DHS' Efforts To Protect Cyberspace and the Nation's Cyber Infrastructure (OIG-11-89, June 2011) and Improvements in Patch and Configuration Management Controls Can Better Protect TSA's Wireless Network and Devices (OIG-11-99, July 2011).

     OVERALL PROGRESS

     DHS continued to improve its information security program during FY 2011. For example, the CISO:

          • Developed the DHS IT Security Continuous Monitoring Strategy: An Enterprise View in January 2011. This document outlined the Department's strategy for implementing an enterprise-wide continuous monitoring and response capability for IT security.

          • Revised the Department's baseline IT security policies and procedures in DHS Sensitive Systems Policy Directive 4300A and its companion, DHS 4300A Sensitive Systems Handbook, to reflect the changes made in DHS security policies and various NIST guidance.

          • Revised the FISMA scorecard to better evaluate the Department's information security program with increased emphasis on continuous monitoring, further aligning with OMB and NIST priorities. The revised FISMA scorecard includes asset reporting, security authorization, weakness management, vulnerability management, configuration management, Security Operations Center effectiveness, and log integration. These seven metrics contribute to the components' overall information security grade. See figure 1 for the Department's July 2011 information security scorecard.

     Figure 1: July 2011 FISMA Information Security Scorecard

     OVERALL ISSUES TO BE ADDRESSED

     Despite the actions taken by the CISO to improve the Department's overall information security program, we identified several issues that should be addressed in order to strengthen DHS' security posture. For example, the CISO did not issue the Fiscal Year 2011 DHS Information Security Performance Plan until June 2011. The delay in issuing the performance plan has caused confusion among components, as they were not sure which area of their information security programs they should focus on, or which security controls they should test. One component indicated that it had to delay its annual key control reviews until DHS finalized the performance plan. Thus, the delay in issuing the performance plan limited the components' ability to complete their testing requirements in FY 2011. According to ISO personnel, the delay in issuing the performance plan was caused by OMB's revised FISMA reporting requirements, which emphasized "continuous monitoring."5

     5 NIST defines "continuous monitoring" as maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions. Continuous monitoring, which is a critical aspect of the organization-wide risk management process, is most effective when automated mechanisms are employed where possible. It can support frequent updates to security plans, security assessment reports, POA&M, hardware and software inventories, and other system information. In addition, a well-defined continuous monitoring strategy supports operational processes, such as incident response, configuration management, identity and access management, and strategies for addressing threats.

     Further, we determined that components are not satisfying all of the Department's information security policies, procedures, and practices. For example, identified deficiencies (i.e., POA&M, security authorization) revealed that not all components are sustaining their information security programs on a year-round basis or performing continuous monitoring as required. In addition, we determined that components have not implemented all of the information system baseline configurations in accordance with DHS policies and procedures. For example, we identified the following deficiencies:

          • Components are operating information systems whose authority to operate (ATO) has expired. For example, we identified 49 unclassified systems with expired ATOs, and some systems have been operating without a valid ATO since 2008.

          • As of July 2011, CIS is maintaining an overall FISMA information security score of 34%.

          • Components have not incorporated all known information security weaknesses into POA&Ms for the Department's unclassified and classified systems.

          • Artifacts supporting authorization of unclassified and classified systems were missing key information or were outdated, restricting the ability of authorizing officials to make credible risk-based decisions.

          • Components have not implemented all required DHS baseline configuration, Federal Desktop Core Configuration (FDCC), and United States Government Configuration Baseline (USGCB) settings on the information systems selected for review.6

     6 OMB Memorandum M-07-11, Implementation of Commonly Accepted Security Configurations for Windows Operating Systems, requires federal agencies to implement minimum baseline FDCC settings on all Microsoft Windows XP workstations. USGCB replaces FDCC and provides the baseline settings for Microsoft Windows 7 and Internet Explorer 8 that federal agencies are required to implement for security reasons.


System Inventory

DHS continues to maintain and update its FISMA systems inventory, including agency and contractor systems, on an annual basis. In addition, DHS conducts site visits as part of its annual inventory update process.

     PROGRESS

          • As of June 2011, DHS has a total of 625 systems, which include a mix of major applications and general support systems that are classified as "Sensitive But Unclassified," "Secret," and "Top Secret."

          • As of June 2011, DHS has conducted 102 component site visits as part of the annual refresh process.

     ISSUES TO BE ADDRESSED

          • As of July 2011, DHS has not established an automated capability to keep track of the hardware devices and software deployed at all component sites.

          • DHS did not determine whether components had developed new classified systems during site visits as part of the annual inventory refresh process. As a result, DHS cannot be sure that it has an accurate inventory of its classified systems.

     See appendix C, System Inventory, and appendix M, Status of Agency Program to Oversee Contractor Systems.


Risk Management Program

As part of its risk management program, DHS follows the guidance outlined in NIST SP 800-37, Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach, and has incorporated the security authorization process into the DHS Sensitive Systems Policy Directive 4300A. For national security systems, components follow the Defense Information Assurance Certification and Accreditation Process and DHS Sensitive Systems Policy Directive 4300B policy. Components are required to use the Department's enterprise-wide management tools to incorporate NIST recommended security controls required for its system security authorizations. In addition, DHS requires components to upload security artifacts into its enterprise management tools to monitor the progress in authorizing systems to operate. The artifacts include: ATO letter, system security plan, security assessment report, security test and evaluation, contingency plan, contingency plan test results, Federal Information Processing Standards (FIPS) 199 determination, E-authentication determination, privacy threshold analysis/privacy impact assessment, and NIST SP 800-53 self-assessments.

For some of the systems that were granted ATO, the artifacts that are required to support the authorization were either missing, incomplete, or outdated. We identified a similar issue in our FY 2008, FY 2009, and FY 2010 FISMA reports.7

7 Evaluation of DHS' Information Security Program for Fiscal Year 2008 (OIG-08-94, September 2008), Evaluation of DHS' Information Security Program for Fiscal Year 2009 (OIG-09-109, September 2009), and Evaluation of DHS' Information Security Program for Fiscal Year 2010 (OIG-11-01, October 2010).

     PROGRESS

          • The overall quality of security authorization documentation has improved in FY 2011, compared with FY 2010. For example, we identified fewer deficiencies within the security authorization documentation for the systems that were selected for review.

     ISSUES TO BE ADDRESSED

          • We selected 28 systems from 12 components and offices to evaluate the quality of documents that support DHS' security authorization process. Our review revealed that the component CISOs have not performed adequate reviews to ensure that the artifacts contain the required information to meet all applicable DHS, OMB, and NIST guidelines. For some of the systems that were granted ATO, the artifacts that are required to support the authorization were either missing, incomplete, or outdated. Without this information, agency officials cannot make credible, risk-based decisions on whether to authorize the system to operate. Specifically, we determined that:

               • Two operational systems did not have signed ATO letters.

               • Components did not complete the FIPS 199 categorization worksheet tool correctly or did not update the categorization for three systems. The FIPS 199 determination, when applied properly during the risk assessment process, helps agency officials to select applicable controls for the information systems.

               • For 17 system security plans, certain elements are missing, including sections that describe management plans, security controls, emergency changes, and incident handling procedures. In addition, we identified three instances where system security plans were out of date. The system security plan should be current, provide an overview of the information system, and describe the security controls implemented or planned to protect the system.

               • Contingency plans and/or testing reports for six systems are missing certain elements, including the identification of alternate processing facilities, restoration procedures, and data sensitivity handling procedures at the alternate site or off-site storage.

               • Two systems have outdated or nonexistent memorandums of understanding with organizations (external to the component) with which they are sharing data.

               • Seven systems did not have completed and approved privacy threshold analyses.

          • During our NPPD audit, we reviewed the authorization packages for two systems to determine whether the systems were granted an ATO in compliance with applicable OMB, NIST, and DHS requirements. We reported in June 2011 that one system was operating without a valid ATO and its security documentation was outdated.8

     8 Planning, Management, and Systems Issues Hinder DHS' Efforts To Protect Cyberspace and the Nation's Cyber Infrastructure (OIG-11-89, June 2011).

     See appendix D for our assessment of DHS' Risk Management Program.


Plans of Action and Milestones Program

DHS requires components to create and maintain POA&Ms for all known IT security weaknesses. In addition, DHS performs automated reviews on its unclassified and classified POA&Ms for accuracy and completeness, and the results are provided to components daily. Despite these efforts, components are not entering and tracking all IT security weaknesses in DHS' unclassified and classified enterprise management tools, nor are all of the data entered by the components accurate and updated in a timely manner.

     PROGRESS

          • Components have created POA&Ms for all 153 notice of findings and recommendations for the weaknesses identified during the FY 2010 financial statement audit.9

     ISSUES TO BE ADDRESSED

          • Components are not correcting all deficiencies identified during DHS' POA&M quality reviews. Our review of DHS' quality reports identified repeated deficiencies, such as inaccurate milestones, lack of resources to mitigate the weaknesses, and delays in resolving the POA&Ms, that are not corrected by the components. We identified similar problems in our FY 2009 and FY 2010 FISMA reports.

          • In FY 2011, DHS did not monitor the adequacy of the POA&Ms for its "Top Secret" systems. For example, DHS did not perform any reviews or oversight functions on "Top Secret" POA&Ms that are manually tracked outside of the Department's enterprise management tools. As a result, DHS cannot ensure that POA&Ms have been created for the security vulnerabilities identified on its "Top Secret" systems and are managed in accordance with the Department's policies and procedures.

          • DHS requires components to develop a POA&M for its operational systems that have not received an ATO. We identified instances where POA&Ms have not been created for operational systems that have not received an ATO.
For\n                                example, one system has been operating since September 2008\n                                without a valid ATO and no POA&M has been created to\n                                obtain the authorization.\n\n                                Based on our analysis of data from DHS\xe2\x80\x99 enterprise\n                                management tools, component CISOs and information system\n                                security officers are not maintaining current information as to\n\n9\n    Information Technology Management Letter for the FY 2010 DHS Financial Statement Audit\n    (OIG-11-103, August 2011).\n\n\n\n                     Evaluation of DHS\xe2\x80\x99 Information Security Program for Fiscal Year 2011\n\n\n                                                  Page 10\n\n\x0c           the progress of security weakness remediation, and not all\n           POA&Ms are being resolved in a timely manner. As of\n           June 30, 2011, we identified the following deficiencies for\n           POA&Ms that are classified as \xe2\x80\x9cSensitive But Unclassified\xe2\x80\x9d\n           and \xe2\x80\x9cSecret\xe2\x80\x9d.\n\n      Sensitive But Unclassified POA&Ms\n\n               \xef\xbf\xbd Components are not monitoring the status of their\n                 high-priority POA&Ms or reviewing them for\n                 consistency and completeness. DHS requires\n                 component CISOs to monitor the progress of the\n                 POA&M implementation and remediation efforts.\n                 Specifically, component CISOs are required to review\n                 and approve all priority 4 and priority 5 POA&Ms to\n                 ensure that the weaknesses are properly prioritized, and\n                 that appropriate resources have been identified for\n                 remediation. 
Priority 4 weaknesses are assigned to\n                 initial audit findings and priority 5 weaknesses are\n                 assigned to repeat audit findings. As of June 30, 2011,\n                 only 192 (68%) of 284 priority 4 and 5 POA&Ms have\n                 been reviewed and approved by a component CISO.\n               \xef\xbf\xbd Component CISOs are not updating information\n                 concerning all weaknesses where the estimated\n                 completion date has been delayed. Of the 4,559 open\n                 POA&Ms with estimated completion dates, 768 (17%)\n                 were delayed by at least 3 months (prior to\n                 April 1, 2011). Furthermore, 255 POA&Ms had an\n                 estimated completion date more than 1 year old, dating\n                 as far back as January 2008.\n               \xef\xbf\xbd DHS requires that a reasonable resources estimate of at\n                 least $50 be provided to mitigate the weakness\n                 identified. Resources required for the remediation of\n                 103 (2%) of 4,559 open POA&Ms were either not\n                 identified or did not meet the $50 requirement.\n               \xef\xbf\xbd 399 (9%) of 4,559 open POA&Ms are scheduled to take\n                 more than 2 years to mitigate the weaknesses. DHS\n                 and OMB require POA&Ms to be completed timely.\n\n      Secret POA&Ms\n\n               \xef\xbf\xbd 37 of 70 open POA&Ms are delayed. For example, 28\n                 (76%) of 37 delayed POA&Ms are more than 1 year\n                 past due.\n\n\nEvaluation of DHS\xe2\x80\x99 Information Security Program for Fiscal Year 2011\n\n                             Page 11\n\x0c                \xef\xbf\xbd 38 (54%) of 70 open POA&Ms have not been updated\n                  within the past 90 days. 
DHS requires POA&Ms to be\n                  updated at least monthly.\n\n       See appendix H for the evaluation of DHS\xe2\x80\x99 POA&M Program.\n\nConfiguration Management\n\n       We reviewed 41 systems, including servers and databases to\n       evaluate the compliance with DHS baseline configuration\n       requirements. Additionally, we evaluated the compliance with\n       FDCC and USGCB requirements at CIS, FEMA, FLETC, ICE,\n       MGMT, NPPD, OIG, S&T, TSA, USCG and USSS. Results from\n       our testing indicated that components have not implemented all of\n       the required DHS baseline configuration settings. We reported a\n       similar issue in our FY 2009 and FY 2010 reports.\n\n       Additionally, we conducted testing across DHS\xe2\x80\x99 wide-area\n       network, known as OneNet, using Network Mapper to search for\n       vulnerable ports and services to test the Security Operations\n       Center\xe2\x80\x99s response to an unannounced network scan. We also\n       evaluated router configuration files on four gateway routers that\n       provide access to OneNet.\n\n       PROGRESS\n\n            Three components (FLETC, TSA, and USCG) are more than\n            90% compliant with FDCC configuration settings.\n\n            Components have established pilot programs to deploy\n            USGCB-compliant configuration settings on their Windows 7\n            workstations.\n\n       ISSUES TO BE ADDRESSED\n\n            Results from our configuration reviews indicated that\n            components had not fully configured their systems based on\n            DHS\xe2\x80\x99 secure baseline configuration guidelines. Components\n            included CBP, CIS, FEMA, ICE, MGMT, NPPD, S&T, TSA,\n            USCG, and USSS. 
Deficiencies identified include:\n\n                \xef\xbf\xbd Insecure Windows authentication protocols are in use.\n\n\n\n\n Evaluation of DHS\xe2\x80\x99 Information Security Program for Fiscal Year 2011\n\n                              Page 12\n\x0c                                      \xef\x83\x98 Oracle databases were not consistently compliant with\n                                        DHS secure baseline configuration guides. For\n                                        example, our review of 8 databases revealed that 36 out\n                                        of 80 settings were non-compliant.\n                                      \xef\x83\x98 Linux password management is not in compliance with\n                                        DHS guidance.\n                                      \xef\x83\x98 Simple Network Management Protocol, a network\n                                        management tool, is in use despite being expressly\n                                        prohibited by DHS. We reported a similar issue in our\n                                        FY 2010 report.\n\n                                      Components have not fully implemented all FDCC settings.\n                                      For example, we identified six specific FDCC settings (five\n                                      Internet Explorer 7, one Microsoft Outlook) that were not\n                                      applied at the components. If these settings are not\n                                      implemented, DHS may be vulnerable to computer viruses\n                                      or social engineering attacks. 
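The configuration reviews in this section all follow one procedure: compare each observed setting against the secure baseline, count the settings that fail, and report the result as a compliance percentage or as a deficiency list ("36 out of 80 settings were non-compliant"). The following Python script is an added example of that comparison; it is not DHS, OIG, or component tooling. The platform names, rule thresholds (minimum password length of 8, 90-day password expiry, the set of acceptable hash algorithms), setting names, and the four observed configurations are constructed for illustration and are not DHS baseline content, though the samples are shaped to reproduce the kinds of deficiency listed in this section, including the gateway router findings discussed further on (one-character minimum password length, weak password protection, a second local account, SNMP enabled).

```python
"""Baseline configuration compliance check.

Added example for this section; not DHS or OIG code. The baseline rules,
thresholds, platform names and observed settings are constructed for
illustration and are not DHS baseline content.
"""
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Rule:
    platform: str                      # kind of system the rule applies to
    setting: str                       # key expected in the observed configuration
    requirement: str                   # plain-language statement of the baseline
    is_compliant: Callable[[Any], bool]


STRONG_HASHES = {"sha256", "scrypt"}   # assumed acceptable local-password protection

# Constructed baseline covering the kinds of deficiency this section lists.
BASELINE: List[Rule] = [
    Rule("router", "min_password_length", "local user minimum password length of at least 8",
         lambda v: isinstance(v, int) and v >= 8),
    Rule("router", "password_hash", "local user password protected with a strong hash",
         lambda v: v in STRONG_HASHES),
    Rule("router", "local_accounts", "exactly one local account when an authentication server is used",
         lambda v: v == 1),
    Rule("router", "snmp_enabled", "SNMP disabled (prohibited by policy)",
         lambda v: v is False),
    Rule("windows", "ntlmv1_accepted", "insecure Windows authentication (NTLMv1) not accepted",
         lambda v: v is False),
    Rule("windows", "lm_hash_stored", "LM password hashes not stored",
         lambda v: v is False),
    Rule("linux", "password_max_age_days", "passwords expire within 90 days",
         lambda v: isinstance(v, int) and 0 < v <= 90),
    Rule("linux", "password_min_length", "password minimum length of at least 8",
         lambda v: isinstance(v, int) and v >= 8),
]


@dataclass
class Result:
    compliant: List[str] = field(default_factory=list)
    noncompliant: List[str] = field(default_factory=list)   # reported, but wrong value
    missing: List[str] = field(default_factory=list)        # not reported at all


def evaluate(platform: str, observed: Dict[str, Any], baseline: List[Rule] = BASELINE) -> Result:
    """Compare one system's observed settings against the rules for its platform."""
    result = Result()
    for rule in (r for r in baseline if r.platform == platform):
        if rule.setting not in observed:
            result.missing.append(rule.setting)
        elif rule.is_compliant(observed[rule.setting]):
            result.compliant.append(rule.setting)
        else:
            result.noncompliant.append(rule.setting)
    return result


def compliance_percent(result: Result) -> float:
    """Percent of applicable settings that comply; an unreported setting counts as a failure."""
    total = len(result.compliant) + len(result.noncompliant) + len(result.missing)
    return round(100.0 * len(result.compliant) / total, 1) if total else 0.0


def findings(platform: str, observed: Dict[str, Any], baseline: List[Rule] = BASELINE) -> List[str]:
    """One deficiency line per failed or unreported setting, for the review write-up."""
    rules = {r.setting: r for r in baseline if r.platform == platform}
    result = evaluate(platform, observed, baseline)
    lines = [f"{s}: observed {observed[s]!r}; required: {rules[s].requirement}"
             for s in result.noncompliant]
    lines += [f"{s}: not reported; required: {rules[s].requirement}" for s in result.missing]
    return lines


def fleet_summary(systems: List[Tuple[str, Dict[str, Any]]]) -> Dict[str, int]:
    """Tally settings across many systems, in the 'N out of M settings' form used in the report."""
    tally = {"compliant": 0, "noncompliant": 0, "missing": 0, "total": 0}
    for platform, observed in systems:
        r = evaluate(platform, observed)
        tally["compliant"] += len(r.compliant)
        tally["noncompliant"] += len(r.noncompliant)
        tally["missing"] += len(r.missing)
    tally["total"] = tally["compliant"] + tally["noncompliant"] + tally["missing"]
    return tally


# Constructed observations (not real device data) mirroring the deficiencies in this section.
GATEWAY_ROUTER_1 = {"min_password_length": 1, "password_hash": "md5",
                    "local_accounts": 2, "snmp_enabled": True}
GATEWAY_ROUTER_2 = {"min_password_length": 12, "password_hash": "sha256",
                    "local_accounts": 1, "snmp_enabled": False}
WORKSTATION_1 = {"ntlmv1_accepted": True}                            # lm_hash_stored not reported
DB_HOST_1 = {"password_max_age_days": 0, "password_min_length": 8}   # 0 = never expires

FLEET = [("router", GATEWAY_ROUTER_1), ("router", GATEWAY_ROUTER_2),
         ("windows", WORKSTATION_1), ("linux", DB_HOST_1)]

if __name__ == "__main__":
    for platform, observed in FLEET:
        print(f"{platform}: {compliance_percent(evaluate(platform, observed))}% compliant")
        for line in findings(platform, observed):
            print("  -", line)
    print(fleet_summary(FLEET))
```

Counting an unreported setting as a failure rather than skipping it is deliberate: a setting the reviewer could not observe cannot be claimed compliant, and the gap shows up in the deficiency list as "not reported" so it is resolved rather than silently inflating the percentage.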
Figure 2 summarizes the Department’s FDCC compliance.

Figure 2: Component FDCC Compliance10
[Chart not reproduced in this text extraction.]

10  DHS Headquarters, NPPD and S&T are all managed by the same policy. As a result, these three components will have identical compliance for FDCC and USGCB settings. CBP, ICE and USSS currently have no plans to implement an FDCC-compliant image and are instead focusing efforts on USGCB compliance.

Although components are developing and implementing USGCB-compliant Windows 7 images, no component is using Windows 7 as the primary operating system for its workstations. Further, none of the images that we evaluated were 100% USGCB compliant.

Gateway routers for OneNet were not configured according to all DHS policies. The following deficiencies were identified:

    • The minimum password length requirement for the local user on two routers was configured to one character.
    • A weak password encryption algorithm is being used for a local user on one router.
    • DHS guidance requires that only one local user account be defined for disaster recovery when using an authentication server. Two of the routers were configured with two local user accounts. Having more than one disaster recovery account is unnecessary and creates additional avenues of attack.

During our NPPD audit, we identified several system configuration and account access vulnerabilities that may lead to risks associated with internal and external threats, unauthorized access, and misuse of the Department’s critical infrastructure information.

We reported in July 2011 that TSA had not implemented DHS baseline configuration controls on all of its wireless devices and supporting infrastructure systems.

See appendix E for a summary of DHS’ configuration management.

Incident Response and Reporting Program

DHS has established adequate incident detection, handling, and analysis procedures. In addition, the number of all security incidents reported by the DHS Security Operations Center has increased by 13%, from 1,402 in FY 2010 to 1,589 in FY 2011.11 For example, the number of malicious code attacks on DHS systems increased from 180 to 602 between 2008 and 2009.12 However, DHS has not fully implemented its department-wide vulnerability assessment program to evaluate the security posture at all components.

11  We evaluated the number of incidents reported by the Security Operations Center between October 1st and May 31st for both FY 2010 and FY 2011.
12  State of Cybersecurity at DHS, December 15, 2010.

PROGRESS

DHS continues to implement its vulnerability assessment program. For example, the DHS Security Operations Center has the ability to perform full credential scanning on workstations and servers at CBP, CIS, and FLETC.13

13  Full credential scanning involves unrestricted access to component networks and enables the use of software tools (i.e., Nessus, WebInspect) to perform comprehensive vulnerability scans.

The DHS Security Operations Center logged all traffic resulting from our unannounced scan on OneNet.

ISSUES TO BE ADDRESSED

DHS has not deployed its vulnerability assessment program department-wide. The program includes a comprehensive vulnerability alert, assessment, remediation, and reporting process to effectively identify computer security vulnerabilities and track mitigation efforts to resolution. However, the DHS Security Operations Center has no access at FEMA, ICE, OIG, S&T, USCG, and USSS. As a result, DHS cannot perform vulnerability assessments on all component workstations and servers to evaluate the effectiveness of the controls implemented.

During FY 2011, I&A, NPPD, Office of Operations Coordination and Planning, OIG, and USSS did not submit weekly incident reports to the DHS Security Operations Center, as required.

Although the DHS Security Operations Center logged all traffic resulting from our unannounced scan on OneNet, the scan was not immediately identified and terminated.

See appendix F for information regarding DHS’ Incident Response and Reporting Program.

Security Training Program

The CISO has established a process to validate components’ security training and has taken a more active role in developing the content for DHS training requirements. During FY 2011, DHS developed and implemented specialized training courses for those with significant IT security responsibilities. However, specific training content for system owners and authorizing officials has yet to be finalized.

PROGRESS

DHS has developed and implemented specialized training courses for information system security officers and system administrators in FY 2011. As of July 2011, DHS had conducted eight information system security officer and two system administrator training sessions.

ISSUES TO BE ADDRESSED

DHS has not yet finalized and implemented its specialized training courses for system owners and authorizing officials.

DHS uses an enterprise management tool to identify and track the status of specialized training for all personnel with significant information security responsibilities, as described in NIST SP 800-50 and NIST SP 800-16.14 Four components (CIS, ISO, S&T, and USCG) are maintaining a completion percentage of 35% or below for all personnel with significant IT security responsibilities.

14  NIST SP 800-50, Building an Information Technology Security Awareness and Training Program, October 2003, and NIST SP 800-16, Information Technology Security Training Requirements: A Role- and Performance-Based Model, April 1998.

See appendix G for information regarding DHS’ Security Training Program.

Remote Access Program

According to DHS policy, components are responsible for managing all remote access and dial-in connections to their systems through the use of two-factor authentication and audit logging capabilities to protect sensitive information throughout transmission. All components utilizing remote access have developed policies to outline the controls needed to protect remote connections (i.e., multi-factor authentication, firewalls) from external threats.

See appendix I for DHS’ Remote Access Program.

Account and Identity Management Program

DHS does not have a centralized capability to identify users and devices connected to its systems. Specifically, components are currently maintaining their own account and identity management programs. However, DHS plans to implement Homeland Security Presidential Directive 12 (HSPD-12) personal identity verification credentials enterprise-wide, which will be used to provide agency-wide system access management by the end of FY 2011.15

15  According to NIST FIPS 201-1, Personal Identity Verification (PIV) of Federal Employees and Contractors, March 2006, a personal identity verification card is a form of standard identification credential issued by the Federal government to its employees and contractors. The personal identity verification credentials are intended to authenticate individuals who require access to federally controlled facilities, information systems, and applications.

PROGRESS

As of July 2011, DHS has issued more than 244,000 HSPD-12 compliant cards across the Department.

Five components (CIS, DHS Headquarters, FEMA, FLETC, and TSA) have issued HSPD-12 compliant cards to all employees and contractors.

ISSUES TO BE ADDRESSED

OMB granted DHS an exception from the requirement that agencies issue personal identity verification credentials to current employees and contractors and use the credentials for both physical and logical access by October 27, 2008. However, DHS is not scheduled to complete the issuance of HSPD-12 compliant cards to all its employees and contractors until September 30, 2011, three years after OMB’s original due date.16

In response to OMB’s requirement that agencies upgrade existing physical and logical access control systems to use PIV credentials by the beginning of FY 2012, the DHS Identity, Credential and Access Management Program Management Office requested components to develop a credential implementation plan by July 31, 2011.17 However, as of August 2011, four components (CBP, DHS Headquarters, FEMA, and USSS) have not submitted implementation plans.

16  Resource and Security Issues Hinder DHS' Implementation of Homeland Security Presidential Directive 12 (OIG-10-40, January 2010).
17  OMB Memorandum M-11-11, Continued Implementation of Homeland Security Presidential Directive 12 – Policy for a Common Identification Standard for Federal Employees and Contractors, February 3, 2011.

See appendix J for DHS’ Account and Identity Management Program.

Continuous Monitoring Program

During FY 2011, DHS made significant changes to its enterprise-wide continuous monitoring program. For example, in FY 2010, the Department’s continuous monitoring program focused on key control reviews, contingency testing, incident response reporting, and ongoing annual security control testing on its FISMA reportable information systems. However, beginning in FY 2011, DHS shifted its focus on continuous monitoring to the asset level, which includes the monitoring of system vulnerabilities, configuration settings, malware, patch information, hardware, and software installed on its systems. As of August 2011, the CISO has performed 60 critical control reviews on selected information systems to ensure that key controls have been implemented and to help components identify potential weaknesses or vulnerabilities.

PROGRESS

DHS has developed policies and procedures to implement its continuous monitoring functions and requirements. For example, the CISO developed the DHS IT Security Continuous Monitoring Strategy: An Enterprise View in January 2011.

As part of its effort to establish a robust, enterprise-wide continuous monitoring program, DHS has revised its information security scorecard to include asset reporting, Security Operations Center effectiveness, and log integration.

ISSUES TO BE ADDRESSED

Self-assessments have yet to be completed for 13 systems, as DHS has not identified the key controls.

DHS and its components have not established a real-time and automated continuous monitoring capability to keep track of all hardware and network devices, external connections, and software associated with their information systems.

As of June 2011, three components (CIS, NPPD, and USSS) have information security scores of 60% or below for the Security Operations Center metric.18

18  Security Operations Center effectiveness is a key metric for the Department’s continuous monitoring program. Several factors are included in this metric, including 1) participation in daily headquarters security operations center calls; 2) access to classified networks within 30 minutes; 3) development of service-level agreements between components and the Security Operations Center; 4) monthly incident reviews; and 5) components’ ability to provide 24x7x365 continuous monitoring and real-time response.

Components have not provided authorizing officials with up-to-date security documentation. For example, our review of 28 system security plans identified three instances where documentation was out of date. Without current information, authorizing officials cannot make a credible risk-based decision on whether to authorize the system.

See appendix K for DHS’ Continuous Monitoring Program.

Contingency Planning Program

DHS has established and is maintaining an entity-wide business continuity and contingency planning program. However, components have not complied with all of DHS’ contingency planning requirements.

PROGRESS

DHS has developed training, testing, and exercise approaches for its business continuity and disaster recovery programs. For example, DHS and its components participated in the federal government continuity exercise in June 2011 to test the activation of continuity plans, systems and procedures, and mission-essential functions.

DHS has developed a business impact assessment that incorporates the Department’s mission essential functions and primary mission essential functions.

ISSUES TO BE ADDRESSED

DHS has not updated the Department of Homeland Security Headquarters Continuity of Operations Plan since 2008. According to an official from the DHS Business Continuity and Emergency Preparedness Branch, the continuity plan is being revised.

As part of the Department’s overall contingency planning and disaster recovery efforts, DHS requires that an IT contingency plan be developed for all IT systems, detailing how the system will be recovered in the event of an emergency or disaster. Our review of 28 security authorization packages revealed that contingency plans and/or testing reports for six systems are missing certain elements, including the identification of alternate processing facilities, restoration procedures, and data sensitivity handling procedures at the alternate site or offsite storage. In addition, one contingency plan is out of date.

See appendix L for DHS’ Contingency Planning Program.

Security Capital Planning Program

DHS bases its CPIC process on OMB’s Circular A-11, Part 7 - Planning, Budgeting, Acquisition, and Management of Capital Assets, which defines the policies for planning, budgeting, acquiring, and managing federal capital assets.19 In addition, DHS developed the CPIC Guide in August 2010. The guide provides components with policies and procedures for selecting, monitoring, and evaluating the Department’s IT and non-IT investments to ensure that each investment is successfully managed, cost effective, and supports DHS’ mission and strategic goals. DHS has also implemented an Information Technology Acquisition Review process, which requires that any proposed IT acquisition of $2.5 million and above be reviewed and approved by the DHS Chief Information Officer (CIO). Finally, DHS has developed an automated process to help ensure that the Department’s IT and non-IT investments are successfully managed, cost effective, and support DHS’ mission and strategic goals.

19  OMB’s Circular A-11, Part 7 – Planning, Budgeting, Acquisition, and Management of Capital Assets, June 2008.

PROGRESS

In January 2011, DHS issued the DHS Capital Planning & Investment Control - OMB Exhibit 300/DHS Business Case Guidebook to provide agency program and investment managers with guidance and best practices for preparing the OMB Exhibit 300/DHS Business Case.

DHS requires components to complete an Exhibit 300 for all major IT investments, which includes estimated information security costs. During FY 2011, the Department completed 94 Exhibit 300s for its major IT investments.

DHS has developed the FY 2012 Exhibit 53B, which identifies the Department’s enterprise-wide information security costs for its IT investments. For example, the FY 2012 Exhibit 53B identifies the staffing costs for personnel with information security responsibilities and costs associated with IT security tools (i.e., anti-virus software, intrusion detection systems, and web-filtering software), annual FISMA testing, network penetration testing, security awareness training, and the authorization of an information system.

Recommendations

We recommend that the CISO:

Recommendation #1: Improve the ISO review process to ensure that POA&Ms, including those for classified systems, are complete and current.

Recommendation #2: Include all applicable controls in the security documentation when authorizing systems.
Systems\n       authorized with outdated documents or without all applicable\n       controls should not be accepted by the Department.\n\n       Recommendation #3: Improve the process to implement and\n       maintain DHS baseline configuration requirements on all systems.\n       The process should include testing and the use of automated tools\n       and security templates.\n\n       Recommendation #4: Evaluate and revise the Department\xe2\x80\x99s\n       current FDCC implementation strategy to ensure that the\n       requirements outlined in OMB M-07-11 and M-07-18 are\n       implemented expeditiously.\n\n       Recommendation #5: In accordance with applicable OMB and\n       NIST guidance, develop a strategy to implement an automated\n       continuous monitoring process for tracking the Department\xe2\x80\x99s\n       inventory, including hardware devices, external connections, and\n       software installed on DHS systems. In addition, the continuous\n       monitoring program should include performing periodic testing to\n       evaluate the security posture at all components.\n\n\nManagement Comments and OIG Analysis\n       Management Comments to Recommendation #1\n       DHS concurred with recommendation 1. The Information Security\n       Office\xe2\x80\x99s (ISO) POA&M process is being further improved to\n       ensure that all POA&Ms, including those POA&Ms for classified\n       systems, are complete and current. Improvements include the\n       implementation of the FY 2011 Information Security Performance\n\n\n\n Evaluation of DHS\xe2\x80\x99 Information Security Program for Fiscal Year 2011\n\n\n                              Page 22\n\n\x0c      Plan automated POA&M quality review checks. These include\n      checking for the existence of POA&Ms for identified security\n      control weaknesses, timely updates and completion of POA&Ms,\n      and reasonableness of estimated remediation costs. 
Manual reviews of POA&Ms are also being conducted to ensure they meet the remaining criteria identified in the DHS 4300A Sensitive Systems Handbook, POA&M Process Guide.

OIG Analysis
We agree that the steps that DHS is taking, and plans to take, begin to satisfy this recommendation. This recommendation will remain open until DHS provides supporting documentation that all planned corrective actions are completed.

Management Comments to Recommendation #2
DHS concurred with recommendation 2. The security document templates are generated with the applicable controls by the DHS security authorization tool at the time the security authorization process is initiated. Enhancements to the DHS compliance tool scheduled for the end of FY 2011 will implement more stringent controls that prevent the upload of outdated documents. Additionally, the required security authorization documents are reviewed by the ISO Document Review Team to ensure that all applicable controls are included and adequately addressed. Documents identified as outdated or which lack all applicable controls by the Team are returned to the Component for corrective action.

OIG Analysis
We agree that the steps that DHS is taking, and plans to take, begin to satisfy this recommendation. This recommendation will remain open until DHS provides supporting documentation that all planned corrective actions are completed.

Management Comments to Recommendation #3
DHS concurred with recommendation 3. In FY 2011, configuration management focused on establishing and maintaining consistency of baseline configurations and inventories of organizational information systems. The CISO’s strategy for achieving automated compliance reporting of baseline configuration requirements was described in the “IT Security Continuous Monitoring Strategy: An Enterprise View” and implemented in FY2011 as part of the continuous monitoring High Priority Initiative 11-14. Additionally, the DHS FY2011 Information Security Scorecard was revised to show Component status towards meeting the DHS configuration requirements. Periodic testing and use of automated tools and security templates to evaluate the security posture at DHS are also being implemented as part of the strategy.

OIG Analysis
We agree that the steps that DHS is taking, and plans to take, begin to satisfy this recommendation. This recommendation will remain open until DHS provides supporting documentation that all planned corrective actions are completed.

Management Comments to Recommendation #4
DHS concurred with recommendation 4. DHS continues to make progress in implementing the FDCC requirements outlined in OMB M-07-11 and M-07-18. The Desktop Working Group tracks and monitors component progress on FDCC implementation. The expected completion date for implementing FDCC has been revised to December 31, 2011, for all DHS components.

OIG Analysis
We agree that the steps that DHS is taking, and plans to take, begin to satisfy this recommendation. This recommendation will remain open until DHS provides supporting documentation that all planned corrective actions are completed.

Management Comments to Recommendation #5
DHS concurred with recommendation 5. The CISO has developed and issued “IT Security Continuous Monitoring Strategy: An Enterprise View,” v1.0, to achieve an automated and real-time monitoring process for the Department’s inventory, including hardware devices, external connections, and software installed on its systems that complies with applicable OMB and NIST guidance. The strategy also addresses the need to perform periodic testing to evaluate the security posture at DHS.

OIG Analysis
We agree that the steps that DHS is taking, and plans to take, begin to satisfy this recommendation. We consider this recommendation resolved and closed.

Appendix A
Purpose, Scope, and Methodology

The objective of this review was to determine whether DHS has developed adequate and effective information security policies, procedures, and practices, in compliance with FISMA. In addition, we evaluated DHS’ progress in developing, managing, and implementing its information security program.

Our independent evaluation focused on DHS’ information security program, the requirements outlined in FISMA, and the draft FY 2011 reporting instructions dated June 2011. We conducted our fieldwork at the departmental level and at DHS’ organizational components and offices, including CBP, CIS, FEMA, FLETC, I&A, ICE, MGMT, NPPD, OIG, S&T, TSA, USCG, and USSS.

In addition, we conducted reviews of DHS’ information systems and security program-related areas throughout FY 2011. This report includes the results of a limited number of systems evaluated during the year and our on-going financial statement review, including our security audits at NPPD and TSA.

As part of our evaluation of DHS’ compliance with FISMA, we assessed DHS and its components against the security requirements mandated by FISMA and other federal information security policies, procedures, standards, and guidelines. Specifically, we: (1) used last year’s FISMA independent evaluation as a baseline for this year’s evaluation; (2) reviewed policies, procedures, and practices that DHS has implemented at the program and component levels; (3) reviewed DHS’ POA&M process to ensure that all security weaknesses are identified, tracked, and addressed; (4) reviewed the processes and status of DHS’ department-wide information security program, including system security authorization, contingency planning, continuous monitoring, incident response, identity management, inventory, security training, system reviews, and remote access; and (5) developed our independent evaluation of DHS’ information security program.

We reviewed the quality of security authorization packages for a sample of 28 systems at CBP, CIS, FEMA, FLETC, I&A, ICE, MGMT, NPPD, OIG, S&T, TSA, USCG, and USSS, to ensure that all of the required documents were completed prior to system authorization.
In addition, we evaluated the implementation of DHS’ baseline configurations and compliance with selected NIST SP 800-53 controls for 41 systems at CBP, CIS, FEMA, I&A, ICE, MGMT, NPPD, S&T, TSA, USCG, and USSS. FDCC and USGCB settings for 16 systems were also reviewed at these 11 components.

We conducted our evaluation between April and August 2011 under the authority of the Inspector General Act of 1978, as amended, and according to the Quality Standards for Inspections issued by the President’s Council on Integrity and Efficiency. Major OIG contributors to the evaluation are identified in appendix O.

The principal OIG point of contact for the evaluation is Frank W. Deffer, Assistant Inspector General, IT Audits, at (202) 254-4041.

Appendix B
Management Response to Draft Report

U.S. Department of Homeland Security
Washington, DC 20528

SEP 06 2011

MEMORANDUM FOR:   Frank Deffer
                  Assistant Inspector General
                  Information Technology Audits

FROM:             Robert West
                  Chief Information Security Officer

SUBJECT:          Response to OIG Draft Report: Evaluation of DHS’ Information Security Program for Fiscal Year 2011 - For Official Use Only
                  OIG Project No. 11-039-ITA-MGMT

This memorandum responds to the Office of Inspector General draft report titled, Evaluation of DHS’ Information Security Program for Fiscal Year 2011 - For Official Use Only, dated September 1, 2011.

The Office of Chief Information Officer concurs with the five recommendations within the report. The following actions are already underway to address these recommendations.

Recommendation #1: Improve the ISO review process to ensure that POA&Ms, including those for classified systems, are complete and current.

DHS CISO concurs: The Information Security Office (ISO) plan of actions and milestones (POA&M) process is being further improved to ensure that all POA&Ms, including those POA&Ms for classified systems, are complete and current. Improvements include the implementation of the FY 2011 Information Security Performance Plan automated POA&M quality review checks. These include checking for the existence of POA&Ms for identified security control weaknesses, timely updates and completion of POA&Ms, and reasonableness of estimated remediation costs. Manual reviews of POA&Ms are also being conducted to ensure they meet the remaining criteria identified in the DHS 4300A Sensitive Systems Handbook, POA&M Process Guide.

Recommendation #2: Include all applicable controls in the security documentation when authorizing systems. Systems authorized with outdated documents or without all applicable controls should not be accepted by the department.

DHS CISO concurs: The security document templates are generated with the applicable controls by the DHS security authorization tool at the time the security authorization process is initiated. Enhancements to the DHS compliance tool scheduled for the end of FY 2011 will implement more stringent controls that prevent the upload of outdated documents. Additionally, the required security authorization documents are reviewed by the ISO Document Review Team to ensure that all applicable controls are included and adequately addressed. Documents identified as outdated or which lack all applicable controls by the Team are returned to the Component for corrective action.

Recommendation #3: Improve the process to implement and maintain DHS baseline configuration requirements on all systems. The process should include testing and the use of automated tools and security templates.

DHS CISO concurs: In FY2011, configuration management focused on establishing and maintaining consistency of baseline configurations and inventories of organizational information systems. The CISO’s strategy for achieving automated compliance reporting of baseline configuration requirements was described in the "IT Security Continuous Monitoring Strategy: An Enterprise View" and implemented in FY2011 as part of the continuous monitoring High Priority Initiative 11-14. Additionally, the DHS FY2011 Information Security Scorecard was revised to show Component status towards meeting the DHS configuration requirements. Periodic testing and use of automated tools and security templates to evaluate the security posture at DHS are also being implemented as part of the strategy.

Recommendation #4: Evaluate and revise the department’s current FDCC implementation strategy to ensure that the requirements outlined in OMB M-07-11 and M-07-18 are implemented expeditiously.

DHS CISO concurs: DHS continues to make progress in implementing the FDCC requirements outlined in OMB M-07-11 and M-07-18. The Desktop Working Group tracks and monitors component progress on Federal Desktop Core Configuration (FDCC) implementation.
The\n         expected completion date for implementing FDCC has been revised to December 3 1, 20 II , for\n         all DH S components.\n\n         Recommcndalion #5: In accordance with applicable OMB and NIST guidance, develop a\n         strategy to implement an automated continuous monitoring process for tracking the department \'s\n         inventory, including hardware devices, extemal connections, and so ftware installed on DH S\n         systems. In addition, the continuous monitoring program should include performing periodic\n         testing to evaluate the security posture at all components.\n\n         OHS elso concurs: The e lSO has developed and issued " IT Security Continuous Monituring\n         Strategy: An Enterprise View ", v 1.0, to achieve an automated and real-time monitoring process\n         fo r the department \' s inventory, including hardware devices, extemal connections, and so ftware\n         installed on its systems that complies with appl icable OMB and NIST guidance. The strategy\n         also addresses the need to perform periodic testing to evaluate the security posture at DHS.\n\n         Should you have any questions, please call me at (202) 357-6 110, or your staff may contact\n         Emery Csulak, Director of Compliance and Technology at (202) 357-6 11 3.\n\n         cc: Chief Information Officer\n             Component CIOs\n             Component CISOs\n\n\n\n\n                Evaluation of DHS\xe2\x80\x99 Information Security Program for Fiscal Year 2011\n\n\n                                                     Page 28\n\n\x0cAppendix C\nSystem Inventory\n\n                                                               Section 1: DHS System Inventory as of June 2011\n                               a.                   b.                     c.                   d.                       e.                      
f.\n                         Agency Systems     Contractor Systems     Total Number of     Number of systems      Number of systems         Number of systems\n                                                                       Systems          receiving authority     for which security           for which\n                                                                     (Agency and            to operate         controls have been       contingency plans\n                                                                 Contractor systems)                          tested and reviewed       have been tested in\n                                                                     (Column A +                                 in the past year        accordance with\n                                                                      Column B)                                                                policy\n\n\n\n\n           FIPS 199                                                               Total\n                                  Number               Number                                            Number               Number               Number\n Bureau     System                                                   Total       Number\n                        Number   Reviewed   Number    Reviewed                              Number      Reviewed    Number   Reviewed   Number    Reviewed\n Name       Impact                                                  Number      Reviewed\n                                  by OIG               by OIG                                            by OIG               by OIG               by OIG\n             Level                                                               by OIG\n   CBP       High         15        3         0            0          15            3          15           3         13        3         13          2\n           Moderate       48        2         1            0          49            2   
       46           2         42        2         42          2\n              Low          1        0         2            0           3            0           2           0          2        0          1          0\n              Not\n                          1         0         0            0           1              0         0           0         0         0         0           0\n          Categorized\n           Sub-total      65        5         3            0          68              5        63           5         57        5         56          4\n   CIS       High          4        1         5            1           9              2         9           2          9        2          3          2\n           Moderate       19        1         16           2          35              3        23           2         26        3         24          3\n             Low          1         0         3            1           4              1         4           1         4         1         4           0\n              Not\n                          2         0         0            0           2              0         0           0         0         0         0           0\n          Categorized\n           Sub-total      26        2         24           4          50              6        36           5         39        6         31          5\n  DHSHQ      High          8        1         8            0          16              1        14           1         6         1         13          1\n           Moderate       11        0         9            1          20              1        19           1         8         1         13          1\n             Low           0        0         3            0           3              0         3           0         1         0          3          0\n              Not\n                          3         0         3            0           6              0         5           0         3         0         1          
 0\n          Categorized\n           Sub-Total      22        1         23           1          45              2        41           2         18        2         30          2\n  FEMA       High         19        2          3           0          22              2        17           1         18        2         10          2\n           Moderate       32        3         14           0          46              3        44           3         41        3         33          3\n             Low           4        0          1           0           5              0         4           0          3        0          3          0\n\n\n\n\n                                            Evaluation of DHS\xe2\x80\x99 Information Security Program for Fiscal Year 2011\n\n\n                                                                           Page 29\n\n\x0cAppendix C\nSystem Inventory\n\n              Not\n                        10   0     0            0          10              0         5           0       6    0   2    0\n          Categorized\n           Sub-total    65   5     18           0          83              5        70           4       68   5   48   5\n  FLETC      High        0   0      0           0           0              0         0           0        0   0    0   0\n           Moderate     13   4      1           0          14              4        13           4       11   4   14   3\n             Low         0   0      0           0           0              0         0           0        0   0    0   0\n              Not\n                        0    0     0            0           0              0         0           0       0    0   0    0\n          Categorized\n           Sub-total    13   4      1           0          14              4        13           4       11   4   14   3\n   ICE       High       12   1      1           0          13              1        11           1        9   1    8   0\n           Moderate     31   3     15     
      0          46              3        41           3       31   3   33   1\n             Low         3   0      0           0           3              0         3           0        2   0    3   0\n              Not\n                        1    0     1            0           2              0         1           0       0    0   0    0\n          Categorized\n           Sub-total    47   4     17           0          64              4        56           4       42   4   44   1\n  NPPD       High        4   1      8           2          12              3         7           3        9   3    9   3\n           Moderate     5    0     21           1          26              1        26           1       24   1   22   1\n             Low         1   0      6           0           7              0         3           0        5   0    5   0\n              Not\n                        1    0     0            0           1              0         1           0       0    0   1    0\n          Categorized\n           Sub-total    11   1     35           3          46              4        37           4       38   4   37   4\n   OIG       High        2   1      0           0           2              1         2           1        1   1    1   1\n           Moderate     0    0      0           0           0              0         0           0        0   0    0   0\n             Low         0   0      0           0           0              0         0           0        0   0    0   0\n              Not\n                        1    0     0            0           1              0         1           0       0    0   0    0\n          Categorized\n           Sub-total    3    1      0           0           3              1         3           1        1   1    1   1\n   S&T       High       1    0      0           0           1              0         1           0        1   0    1   0\n           Moderate     6    0     13           1          19              1        
19           1       15   1   18   1\n             Low        2    0      2           0           4              0         3           0        3   0    4   0\n              Not\n                        2    0     0            0           2              0         1           0       2    0   2    0\n          Categorized\n           Sub-total    11   0     15           1          26              1        24           1       21   1   25   1\n   TSA       High       20   3      3           0          23              3        23           3       23   3   23   3\n           Moderate     28   2     16           0          44              2        44           2       44   2   44   2\n             Low         6   0      2           0           8              0         8           0        8   0    8   0\n\n\n\n                                 Evaluation of DHS\xe2\x80\x99 Information Security Program for Fiscal Year 2011\n\n\n                                                                Page 30\n\n\x0cAppendix C\nSystem Inventory\n\n               Not\n                          4    0      0            0           4               0        4           0        3    0     1    0\n           Categorized\n            Sub-total    58    5      21           0          79               5       79           5       78    5    76    5\n  USCG        High        5    1       5           0          10               1       10           1        5    1    10    1\n            Moderate     55    4      20           3          75               7       65           7       39    6    62    5\n              Low        13    0       2           0          15               0        9           0        6    0    13    0\n               Not\n                         36    0      0            0          36               0       36           0       19    0    2     0\n           Categorized\n            Sub-total    109   5      27           3          136              8      120        
   8       69    7    87    6\n  USSS        High        4    2       0           0           4               2       3            2        3    2     2    2\n            Moderate      6    0       0           0           6               0       6            0        6    0     3    0\n              Low         1    0       0           0           1               0       1            0        1    0     0    0\n               Not\n                          0    0      0            0           0               0        0           0        0    0     0    0\n           Categorized\n            Sub-total    11    2      0            0          11               2       10           2       10    2     5    2\n  Agency\n              High       94    16     33           3          127              19     112          18       97    19   93    17\n  Totals\n            Moderate     254   19    126           8          380              27     346          26       287   26   308   22\n              Low        32     0    21            1          53                1     40            1        35    1   44     0\n               Not\n                         61    0      4            0          65               0       54           0       33    0    9     0\n           Categorized\n              Total      441   35    184          12          625              47     552          45       452   46   454   39\n\n\n\n\n                                    Evaluation of DHS\xe2\x80\x99 Information Security Program for Fiscal Year 2011\n\n\n                                                                    Page 31\n\n\x0c Appendix D\n Status of Risk Management Program\n\n                             Section 2: Status of Risk Management Program\n                                                                                                       Response:\n1. Check one:\n A. 
The Agency has established and is maintaining a risk management program that is consistent with FISMA requirements, OMB policy, and applicable NIST guidelines. Although improvement opportunities may have been identified by the OIG, the program includes the following attributes:
    1. Documented and centrally accessible policies and procedures for risk management, including descriptions of the roles and responsibilities of participants in this process.
    2. Addresses risk from an organizational perspective with the development of a comprehensive governance structure and organization-wide risk management strategy as described in NIST 800-37, Rev. 1.
    3. Addresses risk from a mission and business process perspective and is guided by the risk decisions at the organizational perspective, as described in NIST 800-37, Rev. 1.
    4. Addresses risk from an information system perspective and is guided by the risk decisions at the organizational perspective and the mission and business perspective, as described in NIST 800-37, Rev. 1.
    5. Categorizes information systems in accordance with government policies.
    6. Selects an appropriately tailored set of baseline security controls.
    7. Implements the tailored set of baseline security controls and describes how the controls are employed within the information system and its environment of operation.
    8. Assesses the security controls using appropriate assessment procedures to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.   ✓
    9. 
Authorizes information system operation based on a determination of the risk to organizational operations and assets, individuals, other organizations, and the Nation resulting from the operation of the information system and the decision that this risk is acceptable.
    10. Ensures information security controls are monitored on an ongoing basis including assessing control effectiveness, documenting changes to the system or its environment of operation, conducting security impact analyses of the associated changes, and reporting the security state of the system to designated organizational officials.
    11. Information system specific risks (tactical), mission/business specific risks and organizational level (strategic) risks are communicated to appropriate levels of the organization.
    12. Senior Officials are briefed on threat activity on a regular basis by appropriate personnel (e.g., CISO).
    13. Prescribes the active involvement of information system owners and common control providers, chief information officers, senior information security officers, authorizing officials, and other roles as applicable in the ongoing management of information system-related security risks.
    14. Security authorization package contains system security plan, security assessment report, and POA&M in accordance with government policies.
 B. The Agency has established and is maintaining a risk management program. However, the Agency needs to make significant improvements as noted below.
 C. The Agency has not established a risk management program.

2. If B. 
is checked above, check areas that need significant improvement:\n      a. Risk Management policy is not fully developed.\n      b. Risk Management procedures are not fully developed, sufficiently detailed (SP 800-37,\n          SP 800-39, SP 800-53).\n      c. Risk Management procedures are not consistently implemented in accordance with\n          government policies (SP 800-37, SP 800-39, SP 800-53).\n      d. A comprehensive governance structure and Agency-wide risk management strategy has not\n          been fully developed in accordance with government policies (SP 800-37, SP 800-39, SP\n          800-53).\n      e. Risks from a mission and business process perspective are not addressed (SP 800-37,\n          SP 800-39, SP 800-53).\n      f. Information systems are not properly categorized (FIPS 199/SP 800-60).\n      g. Appropriately tailored baseline security controls are not applied to information systems in\n          accordance with government policies (FIPS 200/SP 800-53).\n      h. Risk assessments are not conducted in accordance with government policies (SP 800-30).\n      i. Security control baselines are not appropriately tailored to individual information systems\n          in accordance with government policies (SP 800-53).\n      j. The communication of information system specific risks, mission/business specific risks and\n          organizational level (strategic) risks to appropriate levels of the organization is not in\n          accordance with government policies.\n      k. The process to assess security control effectiveness is not in accordance with government\n          policies (SP800-53A).\n      l. The process to determine risk to agency operations, agency assets, or individuals, or to\n          authorize information systems to operate is not in accordance with government policies\n          (SP 800-37).\n      m. 
The process to continuously monitor changes to information systems that may necessitate reassessment of control effectiveness is not in accordance with government policies (SP 800-37).
      n. Security plan is not in accordance with government policies (SP 800-18, SP 800-37).
      o. Security assessment report is not in accordance with government policies (SP 800-53A, SP 800-37).
      p. Accreditation boundaries for agency information systems are not defined in accordance with government policies.
      q. Other
      r. Explanation for Other

3. Comments:
   DHS bases its risk management program on NIST SP 800-37, Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach and incorporated the security authorization process into the DHS Sensitive Systems Policy Directive 4300A for its unclassified systems. For national security systems, components follow the Defense Information Assurance Certification and Accreditation Process and DHS Sensitive Systems Policy Directive 4300B policy.
   Based on our review of 28 operational systems, we determined that the artifacts required to authorize a system were either missing, incomplete, or outdated.

Appendix E
Status of Configuration Management Program

                        Section 3: Status of Configuration Management Program
                                                                                     Response:
4. Check one:
 A. The Agency has established and is maintaining a security configuration management program that is consistent with FISMA requirements, OMB policy, and applicable NIST guidelines. Although improvement opportunities may have been identified by the OIG, the program includes the following attributes:
    1. Documented policies and procedures for configuration management.
    2. Standard baseline configurations defined.
    3. Assessing for compliance with baseline configurations.
    4. Process for timely, as specified in agency policy or standards, remediation of scan result deviations.
    5. For Windows-based components, FDCC/USGCB secure configuration settings fully implemented and any deviations from FDCC/USGCB baseline settings fully documented.
    6. Documented proposed or actual changes to hardware and software configurations.
    7. Process for timely and secure installation of software patches.
 B. The Agency has established and is maintaining a security configuration management program. However, the Agency needs to make significant improvements as noted below.   ✓
 C. The Agency has not established a security configuration management program.

5. If B. is checked above, check areas that need significant improvement:
      a. Configuration management policy is not fully developed (NIST 800-53: CM-1).
      b. Configuration management procedures are not fully developed (NIST 800-53: CM-1).
      c. Configuration management procedures are not consistently implemented (NIST 800-53: CM-1).
      d. Standard baseline configurations are not identified for software components (NIST 800-53: CM-2).
      e. Standard baseline configurations are not identified for all hardware components (NIST 800-53: CM-2).
      f. Standard baseline configurations are not fully implemented (NIST 800-53: CM-2).
      g. FDCC/USGCB is not fully implemented (OMB) and/or all deviations are not fully documented (NIST 800-53: CM-6).   f, g
      h. Software assessing (scanning) capabilities are not fully implemented (NIST 800-53: RA-5, SI-2).
      i. Configuration-related vulnerabilities, including scan findings, have not been remediated in a timely manner, as specified in agency policy or standards (NIST 800-53: CM-4, CM-6, RA-5, SI-2).
      j. Patch management process is not fully developed, as specified in agency policy or standards (NIST 800-53: CM-3, SI-2).
      k. Other
      l. Explanation for Other

6. Identify baselines reviewed:
    a. Software Name
    b. Software Version
       - Oracle
       - Security Enhanced Linux/Linux
       - Solaris
       - Windows Server 2003
       - Windows Server 2008
       - Cisco
       - Windows XP

7. Comments:
   Based on our review of 41 systems, we determined that DHS components had not fully configured their systems based on DHS’ secure baseline configuration guidelines.
   We determined that no component has fully implemented FDCC settings across its enterprise.
   Although components are developing and implementing USGCB compliant Windows 7 images, no component is using Windows 7 as the primary operating system for its workstations.
   OneNet gateway routers were not configured according to all DHS policies.

Appendix F
Status of Incident Response and Reporting Program

                     Section 4: Status of Incident Response & Reporting Program
                                                                                     Response:
8. Check one:
 A. The Agency has established and is maintaining an incident response and reporting program that is consistent with FISMA requirements, OMB policy, and applicable NIST guidelines. 
Although improvement opportunities may have been identified by the OIG, the program includes the following attributes:
    1. Documented policies and procedures for detecting, responding to and reporting incidents.
    2. Comprehensive analysis, validation and documentation of incidents.   ✓
    3. When applicable, reports to US-CERT within established timeframes.
    4. When applicable, reports to law enforcement within established timeframes.
    5. Responds to and resolves incidents in a timely manner, as specified in agency policy or standards, to minimize further damage.
    6. Is capable of tracking and managing risks in a virtual/cloud environment, if applicable.
    7. Is capable of correlating incidents.
 B. The Agency has established and is maintaining an incident response and reporting program. However, the Agency needs to make significant improvements as noted below.
 C. The Agency has not established an incident response and reporting program.

9. If B. is checked above, check areas that need significant improvement:
     a. Incident response and reporting policy is not fully developed (NIST 800-53: IR-1).
     b. Incident response and reporting procedures are not fully developed or sufficiently detailed (NIST 800-53: IR-1).
     c. Incident response and reporting procedures are not consistently implemented in accordance with government policies (NIST 800-61, Rev1).
     d. Incidents were not identified in a timely manner, as specified in agency policy or standards (NIST 800-53, 800-61, and OMB M-07-16, M-06-19).
     e. Incidents were not reported to US-CERT as required (NIST 800-53, 800-61, and OMB M-07-16, M-06-19).
     f. Incidents were not reported to law enforcement as required (SP 800-86).
     g. Incidents were not resolved in a timely manner (NIST 800-53, 800-61, and OMB M-07-16, M-06-19).
     h. Incidents were not resolved to minimize further damage (NIST 800-53, 800-61, and OMB M-07-16, M-06-19).
     i. There is insufficient incident monitoring and detection coverage in accordance with government policies (NIST 800-53, 800-61, and OMB M-07-16, M-06-19).
     j. The agency cannot or is not prepared to track and manage incidents in a virtual/cloud environment.
     k. The agency does not have the technical capability to correlate incident events.
     l. Other
     m. Explanation for Other

10. Comments:

Appendix G
Status of Security Training Program

                             Section 5: Status of Security Training Program
                                                                                     Response:
11. Check one:
 A. The Agency has established and is maintaining a security training program that is consistent with FISMA requirements, OMB policy, and applicable NIST guidelines. Although improvement opportunities may have been identified by the OIG, the program includes the following attributes:
     1. Documented policies and procedures for security awareness training.
     2. Documented policies and procedures for specialized training for users with significant information security responsibilities.   ✓
     3. Security training content based on the organization and roles, as specified in agency policy or standards.
     4. 
Identification and tracking of the status of security awareness training for all personnel (including employees, contractors, and other agency users) with access privileges that require security awareness training.
     5. Identification and tracking of the status of specialized training for all personnel (including employees, contractors, and other agency users) with significant information security responsibilities that require specialized training.
 B. The Agency has established and is maintaining a security training program. However, the Agency needs to make significant improvements as noted below.
 C. The Agency has not established a security training program.

12. If B. is checked above, check areas that need significant improvement:
    a. Security awareness training policy is not fully developed (NIST 800-53: AT-1).
    b. Security awareness training procedures are not fully developed and sufficiently detailed (NIST 800-53: AT-1).
    c. Security awareness training procedures are not consistently implemented in accordance with government policies (NIST 800-53: AT-2).
    d. Specialized security training policy is not fully developed (NIST 800-53: AT-3).
    e. Specialized security training procedures are not fully developed or sufficiently detailed in accordance with government policies (SP 800-50, SP 800-53).
    f. Training material for security awareness training does not contain appropriate content for the Agency (SP 800-50, SP 800-53).
    g. Identification and tracking of the status of security awareness training for personnel (including employees, contractors, and other agency users) with access privileges that require security awareness training is not adequate in accordance with government policies (SP 800-50, SP 800-53).
    h. Identification and tracking of the status of specialized training for personnel (including employees, contractors, and other agency users) with significant information security responsibilities is not adequate in accordance with government policies (SP 800-50, SP 800-53).
    i. Training content for individuals with significant information security responsibilities is not adequate in accordance with government policies (SP 800-53, SP 800-16).
    j. Less than 90% of personnel (including employees, contractors, and other agency users) with access privileges completed security awareness training in the past year.
    k. Less than 90% of employees, contractors, and other users with significant security responsibilities completed specialized security awareness training in the past year.
    l. Other
    m. Explanation for Other

13. Comments:
    DHS has documented policies and procedures for maintaining a security training program.
    DHS has established a process to validate components’ security training and has an active role in developing the content for DHS training requirements.
    DHS has developed and implemented specialized training courses for those with significant IT security responsibilities, including information system security officers and system administrators.
    Specific training content for system owners and authorizing officials has yet to be finalized.
    DHS utilizes an enterprise management tool to identify and track the status of specialized training for all personnel with significant information security responsibilities.

Appendix H
Status of Plans of Actions and Milestones Program

               Section 6: Status of Plans of Actions & Milestones (POA&M) Program
                                                                                     Response:
14. Check one:
 A. The Agency has established and is maintaining a POA&M program that is consistent with FISMA requirements, OMB policy, and applicable NIST guidelines and tracks and monitors known information security weaknesses. Although improvement opportunities may have been identified by the OIG, the program includes the following attributes:
     1. Documented policies and procedures for managing IT security weaknesses discovered during security control assessments and requiring remediation.   ✓
     2. Tracks, prioritizes and remediates weaknesses.
     3. Ensures remediation plans are effective for correcting weaknesses.
     4. Establishes and adheres to milestone remediation dates.
     5. Ensures resources are provided for correcting weaknesses.
     6. 
Program officials and contractors report progress on remediation to CIO on a regular basis, at least quarterly, and the CIO centrally tracks, maintains, and independently reviews/validates the POA&M activities at least quarterly.
 B. The Agency has established and is maintaining a POA&M program that tracks and remediates known information security weaknesses. However, the Agency needs to make significant improvements as noted below.
 C. The Agency has not established a POA&M program.

15. If B. is checked above, check areas that need significant improvement:
    a. POA&M policy is not fully developed.
    b. POA&M procedures are not fully developed and sufficiently detailed.
    c. POA&M procedures are not consistently implemented in accordance with government policies.
    d. POA&Ms do not include security weaknesses requiring remediation, discovered during assessments of security controls (OMB M-04-25).
    e. Remediation actions do not sufficiently address weaknesses in accordance with government policies (NIST SP 800-53, Rev. 3, Sect. 3.4 Monitoring Security Controls).
    f. Source of security weaknesses are not tracked (OMB M-04-25).
    g. Security weaknesses are not appropriately prioritized (OMB M-04-25).
    h. Milestone dates are not adhered to (OMB M-04-25).
    i. Initial target remediation dates are frequently missed (OMB M-04-25).
    j. POA&Ms are not updated in a timely manner (NIST SP 800-53, Rev. 3, Control CA-5, and OMB M-04-25).
    k. Costs associated with remediating weaknesses are not identified (NIST SP 800-53, Rev. 3, Control PM-3 and OMB M-04-25).
    l. Agency CIO does not track and review POA&Ms (NIST SP 800-53, Rev. 3, Control CA-5, and OMB M-04-25).
    m. Other
    n. Explanation for Other

16. Comments:
    DHS requires components to create and manage POA&Ms for all known IT security weaknesses.
    DHS has developed policies and procedures for managing IT security weaknesses discovered during security control assessments and requiring remediation.
    As of June 30, 2011, DHS has 4,559 open POA&Ms. However, components are not entering and tracking all IT security weaknesses in DHS’ unclassified and classified enterprise management tools, nor are all of the data entered by the components accurate and updated in a timely manner.
    DHS creates quarterly POA&M progress reports, tracking weakness remediation and maintenance.

Appendix I
Status of Remote Access Program

                               Section 7: Status of Remote Access Program
                                                                                     Response:
17. Check one:
 A. The Agency has established and is maintaining a remote access program that is consistent with FISMA requirements, OMB policy, and applicable NIST guidelines. Although improvement opportunities may have been identified by the OIG, the program includes the following attributes:
    1. Documented policies and procedures for authorizing, monitoring, and controlling all methods of remote access.
    2. Protects against unauthorized connections or subversion of authorized connections.
   ✓
    3. Users are uniquely identified and authenticated for all access.
    4. If applicable, multi-factor authentication is required for remote access.
    5. Authentication mechanisms meet NIST Special Publication 800-63 guidance on remote electronic authentication, including strength mechanisms.
    6. Defines and implements encryption requirements for information transmitted across public networks.
    7. Remote access sessions, in accordance with OMB M-07-16, are timed-out after 30 minutes of inactivity after which re-authentication is required.
 B. The Agency has established and is maintaining a remote access program. However, the Agency needs to make significant improvements as noted below.
 C. The Agency has not established a program for providing secure remote access.

18. If B. is checked above, check areas that need significant improvement:
    a. Remote access policy is not fully developed (NIST 800-53: AC-1, AC-17).
    b. Remote access procedures are not fully developed and sufficiently detailed (NIST 800-53: AC-1, AC-17).
    c. Remote access procedures are not consistently implemented in accordance with government policies (NIST 800-53: AC-1, AC-17).
    d. Telecommuting policy is not fully developed (NIST 800-46, Section 5.1).
    e. Telecommuting procedures are not fully developed or sufficiently detailed in accordance with government policies (NIST 800-46, Section 5.4).
    f. Agency cannot identify all users who require remote access (NIST 800-46, Section 4.2, Section 5.1).
    g. Multi-factor authentication is not properly deployed (NIST 800-46, Section 2.2, Section 3.3).
    h. Agency has not identified all remote devices (NIST 800-46, Section 2.1).
    i. Agency has not determined all remote devices and/or end user computers have been properly secured (NIST 800-46, Section 3.1 and 4.2).
    j. Agency does not adequately monitor remote devices when connected to the agency's networks remotely in accordance with government policies (NIST 800-46, Section 3.2).
    k. Lost or stolen devices are not disabled and appropriately reported (NIST 800-46, Section 4.3, US-CERT Incident Reporting Guidelines).
    l. Remote access rules of behavior are not adequate in accordance with government policies (NIST 800-53, PL-4).
    m. Remote access user agreements are not adequate in accordance with government policies (NIST 800-46, Section 5.1, NIST 800-53, PS-6).
    n. Other
    o. Explanation for Other

19. Comments:

Appendix J
Status of Account and Identity Management Program

                   Section 8: Status of Account and Identity Management Program
                                                                                     Response:
20. Check one:
 A. The Agency has established and is maintaining an identity and access management program that is consistent with FISMA requirements, OMB policy, and applicable NIST guidelines and identifies users and network devices. Although improvement opportunities may have been identified by the OIG, the program includes the following attributes:
    1. Documented policies and procedures for account and identity management.
    2. Identifies all users, including federal employees, contractors, and others who access Agency systems.
    3. 
Identifies when special access requirements (e.g., multi-factor authentication) are necessary.   ✓
    4. If multi-factor authentication is in use, it is linked to the Agency's PIV program where appropriate.
    5. Ensures that the users are granted access based on needs and separation of duties principles.
    6. Identifies devices that are attached to the network and distinguishes these devices from users.
    7. Ensures that accounts are terminated or deactivated once access is no longer required.
    8. Identifies and controls use of shared accounts.
 B. The Agency has established and is maintaining an identity and access management program that identifies users and network devices. However, the Agency needs to make significant improvements as noted below.
 C. The Agency has not established an identity and access management program.

21. If B. is checked above, check areas that need significant improvement:
    a. Account management policy is not fully developed (NIST 800-53: AC-1).
    b. Account management procedures are not fully developed and sufficiently detailed (NIST 800-53: AC-1).
    c. Account management procedures are not consistently implemented in accordance with government policies (NIST 800-53: AC-2).
    d. Agency cannot identify all User and Non-User Accounts (NIST 800-53, AC-2).
    e. Accounts are not properly issued to new users (NIST 800-53, AC-2).
    f. Accounts are not properly terminated when users no longer require access (NIST 800-53, AC-2).
    g. Agency does not use multi-factor authentication where required (NIST 800-53, IA-2).
    h. Agency has not adequately planned for implementation of PIV for logical access in accordance with government policies (HSPD 12, FIPS 201, OMB M-05-24, OMB M-07-06, OMB M-08-01, OMB M-11-11).
    i. Privileges granted are excessive or result in capability to perform conflicting functions (NIST 800-53, AC-2, AC-6).
    j. Agency does not use dual accounts for administrators (NIST 800-53, AC-5, AC-6).
    k. Network devices are not properly authenticated (NIST 800-53, IA-3).
    l. The process for requesting or approving membership in shared privileged accounts is not adequate in accordance with government policies.
    m. Use of shared privileged accounts is not necessary or justified.
    n. When shared accounts are used, the Agency does not renew shared account credentials when a member leaves the group.
    o. Other
    p. Explanation for Other

22. Comments:
    DHS does not use multi-factor authentication for access and identity management. However, DHS is in the process of deploying HSPD-12 compliant credentials to the entire department with plans to use the PIV cards for multi-factor authentication in FY 2012.

Appendix K
Status of Continuous Monitoring Program

                          Section 9: Status of Continuous Monitoring Program
                                                                                     Response:
23. Check one:
 A. The Agency has established an enterprise-wide continuous monitoring program that assesses the security state of information systems that is consistent with FISMA requirements, OMB policy, and applicable NIST guidelines. 
Although improvement opportunities may have been identified
    by the OIG, the program includes the following attributes:
    1. Documented policies and procedures for continuous monitoring.                                           ✓
    2. Documented strategy and plans for continuous monitoring.
    3. Ongoing assessments of security controls (system-specific, hybrid, and common) that have
        been performed based on the approved continuous monitoring plans.
    4. Provides authorizing officials and other key system officials with security status reports
        covering updates to security plans and security assessment reports, as well as POA&M
        additions and updates with the frequency defined in the strategy and/or plans.
 B. The Agency has established an enterprise-wide continuous monitoring program that assesses the
    security state of information systems. However, the Agency needs to make significant
    improvements as noted below.
 C. The Agency has not established a continuous monitoring program.

24. If B. is checked above, check areas that need significant improvement:
    a. Continuous monitoring policy is not fully developed (NIST 800-53: CA-7).
    b. Continuous monitoring procedures are not fully developed (NIST 800-53: CA-7).
    c. Continuous monitoring procedures are not consistently implemented (NIST 800-53: CA-7;
         800-37 Rev 1, Appendix G).
    d. Strategy or plan has not been fully developed for enterprise-wide continuous monitoring
         (NIST 800-37 Rev 1, Appendix G).
    e. Ongoing assessments of security controls (system-specific, hybrid, and common) have not
         been performed (NIST 800-53, NIST 800-53A).
    f. The following were not provided to the authorizing official or other key system officials:
         security status reports covering continuous monitoring results, updates to security plans,
         security assessment reports, and POA&Ms (NIST 800-53, NIST 800-53A).
    g. Other
    h. Explanation for Other

25. Comments:
                   DHS has established an entity-wide continuous monitoring program that assesses the security state
                   of information systems that is generally consistent with NIST and OMB FISMA requirements. For
                   example, DHS requires components to complete NIST SP 800-53 assessments and key control
                   reviews. In addition, we determined that:

                   • DHS has developed policies and procedures to implement its continuous monitoring functions
                     and requirements. For example, CISO developed the DHS IT Security Continuous Monitoring
                     Strategy: An Enterprise View in January 2011.
                   • DHS’ revised continuous monitoring program is now focused at the asset level, which includes
                     the monitoring of system vulnerabilities, configuration settings, malware, patch information,
                     hardware, and software installed on its systems.
                   • Not all components have provided authorizing officials with up-to-date security status reports
                     and documentation for all security authorization packages. For example, during our review of
                     28 system security plans, we identified three instances where documentation was out of date.

 Appendix L
 Status of Contingency Planning Program

                         Section 10: Status of Contingency Planning Program
                                                                                                    Response:
26. Check one:
 A. The Agency established and is maintaining an enterprise-wide business continuity/disaster
    recovery program that is consistent with FISMA requirements, OMB policy, and applicable
    NIST guidelines. Although improvement opportunities may have been identified by the OIG,
    the program includes the following attributes:
    1. Documented business continuity and disaster recovery policy providing the authority and
        guidance necessary to reduce the impact of a disruptive event or disaster.
    2. The agency has performed an overall Business Impact Analysis (BIA).                             ✓
    3. Development and documentation of division, component, and IT infrastructure recovery
        strategies, plans and procedures.
    4. Testing of system specific contingency plans.
    5. The documented business continuity and disaster recovery plans are in place and can be
        implemented when necessary.
    6. Development of test, training, and exercise (TT&E) programs.
    7. Performance of regular ongoing testing or exercising of business continuity/disaster
        recovery plans to determine effectiveness and to maintain current plans.
 B. The Agency has established and is maintaining an enterprise-wide business continuity/disaster
    recovery program.
However, the Agency needs to make significant improvements as noted
    below.
 C. The Agency has not established a business continuity/disaster recovery program.

27. If B. is checked above, check areas that need significant improvement:
    a. Contingency planning policy is not fully developed and contingency planning policy is not
         consistently implemented (NIST 800-53: CP-1).
    b. Contingency planning procedures are not fully developed (NIST 800-53: CP-1).
    c. Contingency planning procedures are not consistently implemented (NIST 800-53; 800-34).
    d. An overall business impact assessment has not been performed (NIST SP 800-34).
    e. Development of organization, component, or infrastructure recovery strategies and plans
         has not been accomplished (NIST SP 800-34).
    f. A business continuity/disaster recovery plan has not been developed (FCD1, NIST SP
         800-34).
    g. A business continuity/disaster recovery plan has been developed, but not fully
         implemented (FCD1, NIST SP 800-34).
    h. System contingency plans missing or incomplete (FCD1, NIST SP 800-34, NIST SP
         800-53).
    i. System contingency plans are not tested (FCD1, NIST SP 800-34, NIST SP 800-53).
    j. Test, training, and exercise programs have not been developed (FCD1, NIST SP 800-34,
         NIST 800-53).
    k. Test, training, and exercise programs have been developed, but are not fully implemented
         (FCD1, NIST SP 800-34, NIST SP 800-53).
    l. After-action report did not address issues identified during contingency/disaster recovery
         exercises (FCD1, NIST SP 800-34).
    m. Systems do not have alternate processing sites (FCD1, NIST SP 800-34, NIST SP 800-53).
    n. Alternate processing sites are subject to the same risks as primary sites (FCD1,
         NIST SP 800-34, NIST SP 800-53).
    o. Backups of information are not performed in a timely manner (FCD1, NIST SP 800-34,
         NIST SP 800-53).
    p. Backups are not appropriately tested (FCD1, NIST SP 800-34, NIST SP 800-53).
    q. Backups are not properly secured and protected (FCD1, NIST SP 800-34, NIST SP
         800-53).
    r. Contingency planning does not consider supply chain threats.
    s. Other
    t. Explanation for Other

28. Comments:
                 DHS has established and is maintaining an entity-wide business continuity/disaster recovery
                 program that is generally consistent with NIST's and OMB's FISMA requirements. However,
                 based on our review of 28 security authorization packages, we determined that contingency plans
                 and/or testing reports for 6 systems are missing certain elements, including the identification of
                 alternate processing facilities, restoration procedures, or data sensitivity handling procedures at the
                 alternate site or offsite storage. In addition, one contingency plan is out of date.

 Appendix M
 Status of Agency Program to Oversee Contractor Systems

                Section 11: Status of Agency Program to Oversee Contractor Systems
                                                                                                        Response:
29. Choose one:
 A.
The Agency has established and maintains a program to oversee systems operated on its behalf
    by contractors or other entities, including Agency systems and services residing in the cloud
    external to the Agency. Although improvement opportunities may have been identified by the
    OIG, the program includes the following attributes:
    1. Documented policies and procedures for information security oversight of systems operated
        on the Agency's behalf by contractors or other entities, including Agency systems and
        services residing in public cloud.
    2. The Agency obtains sufficient assurance that security controls of such systems and services
        are effectively implemented and comply with federal and agency guidelines.
    3. A complete inventory of systems operated on the Agency's behalf by contractors or other             ✓
        entities, including Agency systems and services residing in public cloud.
    4. The inventory identifies interfaces between these systems and Agency-operated systems.
    5. The agency requires appropriate agreements (e.g., MOUs, Interconnection Security
        Agreements, contracts, etc.) for interfaces between these systems and those that it owns and
        operates.
    6. The inventory of contractor systems is updated at least annually.
    7. Systems that are owned or operated by contractors or entities, including Agency systems
        and services residing in public cloud, are compliant with FISMA requirements, OMB policy,
        and applicable NIST guidelines.
 B. The Agency has established and maintains a program to oversee systems operated on its behalf
    by contractors or other entities, including Agency systems and services residing in public cloud.
    However, the Agency needs to make significant improvements as noted below.
 C. The Agency does not have a program to oversee systems operated on its behalf by contractors or
    other entities, including Agency systems and services residing in public cloud.

30. If B. is checked above, check areas that need significant improvement:
    a. Policies to oversee systems operated on the Agency's behalf by contractors or other entities,
         including Agency systems and services residing in public cloud, are not fully developed.
    b. Procedures to oversee systems operated on the Agency's behalf by contractors or other
         entities, including Agency systems and services residing in public cloud, are not fully
         developed.
    c. Procedures to oversee systems operated on the Agency's behalf by contractors or other
         entities, including Agency systems and services residing in public cloud, are not consistently
         implemented.
    d. The inventory of systems owned or operated by contractors or other entities, including
         Agency systems and services residing in public cloud, is not complete in accordance with
         government policies (NIST 800-53: PM-5).
    e. The inventory does not identify interfaces between contractor/entity-operated systems and
         Agency owned and operated systems.
    f. The inventory of contractor/entity-operated systems, including interfaces, is not updated at
         least annually.
    g. Systems owned or operated by contractors and entities are not subject to NIST and OMB's
         FISMA requirements (e.g., security requirements).
    h. Systems owned or operated by contractors and entities do not meet NIST and OMB's
         FISMA requirements (e.g., security requirements).
    i. Interface agreements (e.g., MOUs) are not properly documented, authorized, or maintained.
    j. Other
    k. Explanation for Other

31. Comments:
                       DHS has established and maintains a program to oversee systems operated on its behalf by
                       contractors or other entities.

Appendix N
Status of Security Capital Planning Program

                        Section 12: Status of Security Capital Planning Program
                                                                                                      Response:
32. Check one:
 A. The Agency has established and maintains a security capital planning and investment program
     for information security. Although improvement opportunities may have been identified by the
     OIG, the program includes the following attributes:
     1. Documented policies and procedures to address information security in the capital
          planning and investment control process.
     2. Includes information security requirements as part of the capital planning and investment
          process.                                                                                       ✓
     3. Establishes a discrete line item for information security in organizational programming
          and documentation.
     4. Employs a business case/Exhibit 300/Exhibit 53 to record the information security
          resources required.
     5. Ensures that information security resources are available for expenditure as planned.
 B. The Agency has established and maintains a capital planning and investment program.
    However, the Agency needs to make significant improvements as noted below.
 C. The Agency does not have a capital planning and investment program.

33. If B.
is checked above, check areas that need significant improvement:
    a. CPIC information security policy is not fully developed.
    b. CPIC information security procedures are not fully developed.
    c. CPIC information security procedures are not consistently implemented.
    d. The Agency does not adequately plan for IT security during the CPIC process (SP 800-65).
    e. The Agency does not include a separate line for information security in appropriate
         documentation (NIST 800-53: SA-2).
    f. Exhibits 300/53 or business cases do not adequately address or identify information security
         costs (NIST 800-53: PM-3).
    g. The Agency does not provide IT security funding to maintain the security levels identified.
    h. Other
    i. Explanation for Other

34. Comments:
                        DHS has established and maintains a security capital planning and investment program for
                        information security. For example:

                          • DHS bases its CPIC process on OMB’s Circular A-11, Part 7 - Planning, Budgeting,
                            Acquisition, and Management of Capital Assets which defines the policies for planning,
                            budgeting, acquiring, and managing federal capital assets.[20] In addition, DHS developed the
                            CPIC Guide in August 2010.
                          • DHS has developed an automated process to help ensure that the Department’s IT and non-IT
                            investments are successfully managed, cost effective, and support DHS’ mission and strategic
                            goals.
                          • During FY 2011, DHS has completed 94 Exhibit 300s for its major IT investments.

[20] OMB’s Circular A-11, Part 7 – Planning, Budgeting, Acquisition, and Management of Capital Assets,
     June 2008.

Appendix O
Major Contributors to this Report

                    Information Security Audit Division

                    Chiu-Tong Tsang, Director
                    Aaron Zappone, Team Lead
                    Amanda Strickler, IT Specialist
                    Michael Kim, IT Auditor
                    David Bunning, IT Specialist
                    Joseph Landas, Management/Program Assistant
                    Angeline De Chiara, Management/Program Assistant
                    Hannah Schneider, Management/Program Assistant
                    Gregory Wilson, Management/Program Assistant
                    Hans Petrich, Management/Program Assistant
                    Erin Dunham, Referencer

Appendix P
Report Distribution

                      Department of Homeland Security

                      Secretary
                      Deputy Secretary
                      Chief of Staff
                      Deputy Chief of Staff
                      General Counsel
                      Executive Secretary
                      Assistant Secretary for Office of Policy
                      Assistant Secretary for Office of Public Affairs
                      Assistant Secretary for Office of Legislative Affairs
                      Chief Information Officer
                      Deputy Chief Information Officer
                      Chief Financial Officer
                      Chief Information Security Officer
                      Director, GAO/OIG Liaison Office
                      Director, Compliance and Oversight Program, Office of CIO
                      Deputy Director, Compliance and Oversight Program, Office of CIO
                      Chief Information Officer Audit Liaison
                      Chief Information Security Officer Audit Liaison
                      Component CIOs
                      Component CISOs

                      Office of Management and Budget

                      Chief, Homeland Security Branch
                      DHS OIG Budget Examiner

                      Congress

                      Congressional Oversight and Appropriations Committees, as
                      appropriate

ADDITIONAL INFORMATION AND COPIES

To obtain additional copies of this report, please call the Office of Inspector General (OIG) at (202) 254-4100,
fax your request to (202) 254-4305, or visit the OIG web site at www.dhs.gov/oig.

OIG HOTLINE

To report alleged fraud, waste, abuse or mismanagement, or any other kind of criminal or noncriminal
misconduct relative to department programs or operations:

• Call our Hotline at 1-800-323-8603;

• Fax the complaint directly to us at (202) 254-4292;

• Email us at DHSOIGHOTLINE@dhs.gov; or

• Write to us at:
       DHS Office of Inspector General/MAIL STOP 2600,
       Attention: Office of Investigations - Hotline,
       245 Murray Drive, SW, Building 410,
       Washington, DC 20528.

The OIG seeks to protect the identity of each writer and caller.